Cascaded Hiding Network (HNet) Overview
- The paper introduces a cascaded Hiding Network (HNet) that embeds recoverable watermarks into images post-task to conceal data without altering visual quality.
- It describes two operational forms—box-free watermarking and a shared deep network formulation—leveraging U-Net inspired architecture for dual-purpose style transfer and data hiding.
- Experimental evaluations demonstrate 100% watermark removal success using forward-surrogate attacks, achieving high fidelity with metrics like 34.69 dB PSNR and MS-SSIM > 0.990.
Searching arXiv for the provided HNet-related papers and closely related terminology. Cascaded Hiding Network (HNet) denotes a neural hiding component or hiding-oriented network organization in which concealed functionality is embedded within an apparently ordinary image-processing pipeline. In the explicit box-free watermarking formulation, HNet is cascaded after a task network and before watermark extraction, so that the released image is visually similar to the task output while carrying a recoverable mark. In the closely related “hiding data hiding” formulation, a single shared deep network behaves in an HNet-style manner by openly performing style transfer while secretly acting as both data embedder and extractor under different paired inputs. Across these formulations, the defining idea is not only to hide payloads in images, but also to hide the existence or operational role of the hiding mechanism itself (An et al., 24 Jul 2025, Wu et al., 2021).
1. Conceptual scope and nomenclature
In the box-free watermarking setting, the protected system is a cascade of three components: GNet, which performs the image task itself; HNet, which embeds the watermark into the GNet output; and ENet, which extracts the watermark from the marked output. The pipeline is
Here, is the input image, is the processed but unmarked output from GNet, is the final marked output released by the system, and is the watermark image. The paper further defines the externally exposed black-box service as
Within this terminology, HNet is the actual watermark embedder, whereas GNet produces the semantic or content transformation and ENet verifies watermark presence (An et al., 24 Jul 2025).
The 2021 “hiding data hiding” framework does not explicitly use the name HNet, but it is described as a single shared deep network that behaves like a multi-purpose, cascaded hiding network. The proposed DNN is trained so that, with input , it performs style transfer; with input , it performs data embedding; and with input , it performs data extraction. In that formulation, the hiding functions are camouflaged as an ordinary task, namely style transfer. This suggests that “Cascaded Hiding Network” can refer not only to an explicit post-task watermarking module, but also to a shared hidden-functionality network whose visible behavior masks covert embedding and recovery capabilities (Wu et al., 2021).
2. Cascaded operational forms
The most explicit cascaded form occurs in box-free watermarking, where HNet is inserted after the task network. The user or attacker observes only the final marked image 0, not the intermediate task output 1. This separation is central to the security claim of box-free watermarking: the watermarking mechanism is hidden inside ONet, and the unmarked image is never directly exposed (An et al., 24 Jul 2025).
The HDH formulation realizes a different but structurally related cascade. The same network 2 is applied twice in sequence:
3
The first application creates a stego image 4, and the second application reconstructs the secret from the stego image and a trigger image:
5
This is an implicit two-stage hidden pipeline in which embedding and extraction are both internalized by the same parameter set 6. The paper emphasizes that task selection is controlled by the second input image: the style image 7 selects style transfer mode, the binary secret image 8 selects embedding mode, and the trigger image 9 selects extraction mode. A fully black image, with all pixels equal to zero, is used as the default trigger, and the paper states that without it the network will not recover the secret reliably (Wu et al., 2021).
These two operational forms differ in decomposition. The box-free watermarking literature separates the task model, hiding model, and extractor into GNet, HNet, and ENet. The HDH framework does not split the hiding system into separate encoder and decoder modules; instead, one encoder-decoder backbone doubles as an embedding generator, an extraction reconstructor, and a style-transfer synthesizer. A plausible implication is that “cascaded” in HNet-related work can denote either explicit model composition or sequential re-use of a shared model under mode-selecting inputs (Wu et al., 2021).
3. Architecture and data representation in the HNet-style HDH formulation
The HDH network 0 is inspired by U-Net, but modified for the hiding-data-hiding purpose. Its input consists of two images concatenated channel-wise, for example 1 plus 2 to produce 3. The encoder/down-sampling path uses several convolution layers to reduce the feature map to 4, and the decoder/up-sampling path uses transposed convolutions to restore the image size to 5. Down-sampling layers use LeakyReLU, up-sampling layers use ReLU, batch normalization is used except in the first down-sampling layer, and dropout is used in the first two up-sampling layers. Unlike standard U-Net, no max-pooling and no cropping are used, because preserving information is important for extraction (Wu et al., 2021).
For style transfer, the network computes
6
where 7 should have the content of 8 and the style of 9. For data embedding, it computes
0
where 1 is the stego image and should remain visually close to the cover 2 while still allowing full recovery of 3. For data extraction, it computes
4
Because the same backbone is reused in all three modes, the encoder learns different feature couplings depending on input pairing: content-style fusion in style transfer, secret-bit injection in embedding, and trigger-conditioned secret reconstruction in extraction (Wu et al., 2021).
The secret data 5 is represented as a binary image made of disjoint 6 blocks, each carrying one secret bit. If the bit is 0, all pixels in the block are set to 0; if the bit is 1, all pixels in the block are set to 1. The actual payload length is
7
Since the final layer uses 8, output values lie in 9. Decoding is performed blockwise by averaging each block and assigning bit 1 if the average is greater than 0, and 0 otherwise. This yields a direct blockwise bit recovery mechanism (Wu et al., 2021).
4. Training objectives and optimization
The HDH model is trained jointly on style transfer and hiding/extraction. For style transfer, the network output is trained against a ground-truth style-transferred image 0 with
1
where 2 is the number of elements in 3. For cover 4, secret 5, and trigger 6, the embedding-plus-extraction loss is
7
The first term preserves visual similarity between stego and cover, and the second term reconstructs the secret accurately. The total loss is
8
with default values 9. Training is performed in a multi-task joint manner: for each batch, the style transfer task, embedding task, and extraction task are performed, and the network parameters are then updated. The optimizer is Adam with learning rate 0, 1, 2, and batch size 1 (Wu et al., 2021).
In box-free watermarking, the defender jointly trains HNet, D, and ENet, while GNet is pretrained and frozen. The joint loss is
3
with
4
5
6
The fidelity term forces 7 to look like 8, the mark term ensures watermark extraction from marked images and all-white output on unmarked or random images, and the adversarial term makes marked and unmarked outputs hard to distinguish (An et al., 24 Jul 2025).
5. Reverse engineering, attack models, and security limitations
The strict black-box threat model in the 2025 study grants the attacker query access to the cloud API, observation of only the released marked outputs 9, and no knowledge of the HNet architecture, HNet weights, ENet, or the intermediate output 0. The removal objective is
1
A successful attack either recovers the unmarked image 2 or produces an output whose ENet-extracted watermark is no longer the target 3. The attacks rely on specially crafted query inputs 4 that approximately satisfy 5, described as an “identity transformation” assumption. Examples given are rain-free images for deraining GNet and masked or minimally transformed inputs for image generation or editing (An et al., 24 Jul 2025).
The first attack learns an inverse operator for HNet. From curated queries, the attacker obtains approximate direct HNet samples 6 and trains 7 with
8
The paper characterizes this attack as simple, intuitive, query-based, and effective at removing the watermark, but also states that it yields unsatisfactory image quality relative to the original 9 because the inverse mapping is hard to learn in a nonlinear, high-dimensional setting (An et al., 24 Jul 2025).
The second attack exploits the equivalent additive property of box-free model watermarking. The marked output is written as
0
where 1 is the additive equivalent or latent representation of the watermark. The paper motivates this with a first-order Taylor expansion around 2 and verifies the approximation empirically by feeding the residual 3 to ENet:
4
Instead of inverting HNet, the attacker trains a forward surrogate
5
with
6
and then estimates
7
The paper argues that this forward-surrogate approach is better than inversion because it avoids the ill-conditioned inverse mapping, directly models the embedded residual, and reconstructs the unmarked image more faithfully (An et al., 24 Jul 2025).
Empirically, both attacks achieved
8
across all eight reported settings, corresponding to 100% watermark removal success against both victim systems—9 from Wu et al. (2020) and 0 from Zhang et al. (2024)—on both image deraining and image generation or text-image-to-image editing via Stable Diffusion. The forward-HNet attack was consistently better in image quality, with the best reported fidelity reaching 34.69 dB PSNR for 1 in deraining, and with MS-SSIM exceeding 2 in that setting. The ablation study further shows that if the attacker does not bypass GNet and instead trains on ordinary 3 pairs, 4 can remove watermarks only with severe quality degradation, while forward HNet fails to remove the watermark properly and instead mixes in source content (An et al., 24 Jul 2025).
6. Security interpretation, robustness measures, and neighboring terminology
The HDH framework shifts the security objective from merely hiding payloads in images to hiding the very presence of data-hiding tools by making sender and receiver appear to use ordinary style-transfer processing. The paper also discusses adversarial training with Gaussian noise to improve robustness, the use of error-correcting codes if needed, and security testing using XuNet steganalysis. In that formulation, the covert capability is concealed behind a benign application, and the style-transfer behavior is the visible cover for the hidden functions (Wu et al., 2021).
The 2025 attack paper reaches the complementary conclusion that cascading HNet after GNet does not make box-free watermarking secure under black-box API access. Its practical defense suggestion is API query screening / identity-transformation detection, for example by comparing input 5 and output 6 by Euclidean distance and, if they are too similar, returning 7 or issuing a warning. This suggests that HNet security depends not only on invisibility of the mark in 8, but also on the difficulty of isolating HNet behavior through query design (An et al., 24 Jul 2025).
A common source of terminological confusion is the distinction between HNet and Hidden Network (HNN). “HALO-CAT: A Hidden Network Processor with Activation-Localized CIM Architecture and Layer-Penetrative Tiling” concerns HNN processing, not a Cascaded Hiding Network. In that literature, a network is initialized with random weights, a sparse binary supermask selects a useful subnetwork, and HALO-CAT accelerates this HNN-style inference with Layer-Penetrative Tiling (LPT) and an Activation-Localized (AL) computing-in-memory architecture. The paper explicitly states that this is not a separate “Cascaded Hiding Network” model; the nearest analogue to “cascaded” is deep cross-layer execution or layer-fused scheduling. This distinction is important because HNN in the HALO-CAT sense is a hardware-software co-design target for inference acceleration, whereas HNet in the hiding literature is a concealment or watermark-embedding mechanism within an image-processing pipeline (Chen et al., 2023).